Amazon’s Kindle: Some Interesting Security Thoughts
My Kindle2 showed up yesterday. I un-boxed it, turned it on and within 3 minutes had downloaded my first book and was reading away (Thomas Barnett's "Great Powers," if you must know.)
So this morning after I checked my email on my other indispensable tool/toy, my iPhone, I realized something was missing from the Kindle: a password.
So you might think "Hoff, why would you need a password for a device that lets you read books?"
Well, while it's true that the majority of users will simply read "off-the-shelf" books/blogs/magazines they download from Amazon.com's storefront on their Kindles, there are a couple of other interesting scenarios that ran through my mind:
- To purchase a book using the Kindle, the device is linked to Amazon's One-Click purchase capability. This means that once I choose to purchase a book, I simply click "Buy" and it's delivered to the device, automagically charging my credit card. If I lost my device, someone who found it could literally download hundreds of books to the Kindle on my nickel until I am able to do something about it. This would be short-lived, but really annoying.
- It is possible, using an Amazon web service, to convert documents into the Kindle Format and download them over Whispernet to your device. Given how convenient this is for reading, imagine what would happen if some crafty person decided to convert and download a sensitive document to the Kindle and then lose the device. Imagine if that document contained PII or other confidential/sensitive information? I wager we'll see a breach notification being issued based on someone losing a Kindle.
Yes, I know it's a piece of "consumer" equipment, but look a little further down the line: college students using it for textbooks and all sorts of other communications, business people using it for reading corporate materials, etc…
I am interested in exploring the following elements in the long term:
- An option for password-protected access to the device itself.
- A content-rating based password-controlled parental rating system for certain materials. My kids already grabbed my Kindle and (see #1 above) downloaded 3 kids' books to it. I may not want them to read certain content.
- Remote self-destruct
- Encryption of content (at rest, in motion)
- Security of Whispernet itself
- WiFi (and its attendant issues)
I'm sure as I dwell on this, there will be other issues that crop up, but the security wonk in me was in full gear this morning.
You have any other security shortcomings or concerns you've thought of re: the Kindle?